Squoggle

Mac's tech blog

Category Archives: Linux Mint

Linux Mint 22 – Custom UEFI LVM Installation

Leave a comment Posted by on December 30, 2024

Linux Mint’s Cinnamon desktop is one of the most productive and visually clean environments. However, its installation process has limitations, such as minimal support for Logical Volumes (LVM) on multiple devices. This guide provides a detailed walkthrough for configuring Linux Mint 22 with UEFI and LVM across multiple storage devices, allowing for advanced customization.

This guide documents the steps I followed to install Linux Mint 22 using Logical Volumes across multiple physical storage devices. By sharing this process, I aim to help others replicate this setup, whether on virtual machines or physical hardware

My Setup

For this installation I am doing the installation and configuration on a VirtualBox Virtual machine to test the process and in theory duplicate the process on a physical host. The salient details of the hardware are follows:

HardwareVirtual MachinePhysical Machine
Memory32 GB64 GB
Processors48
Disk via SATA Controller100 GB1 TB
Disk via NVME Controller10 GB2 TB

Partitioning

One of the reasons I’m doing this custom installation is that the automated installation does not allow me to customize the partitioning. One of the things I want to accomplish is customizing the amount of swap space so that I can configure Hibernation on this host. In order to do so I need more swap space defined than I have configured in memory. The below table is an outline of the physical devices and partitions I want to create:

Partition Setup Overview

/dev/sda:

  1. /dev/sda1: EFI partition (1 GB, FAT32).
    • The EFI partition only needs to hold the bootloader and essential EFI files. A 1 GB size provides ample space for future updates or additional boot entries, without wasting disk space.
  2. /dev/sda2: 4GB ext4 filesystem mounted at /boot
    • The /boot partition houses the Linux kernel, initramfs, and other boot-related files. A 4 GB allocation ensures sufficient space for kernel updates, multiple kernels, and recovery options, especially useful if the system uses custom kernels.
  3. /dev/sda3: Physical Volume (PV) for LVM for swap space (48 GB) and for root file system (remaining space).
    • Allocating the remaining space to an LVM PV provides flexibility. It allows dynamic resizing of logical volumes for swap and the root filesystem as needs evolve. By defining a large swap space (48 GB), the system supports hibernation, which requires swap space to be at least equal to the amount of installed memory. The rest is allocated to the root filesystem to hold the operating system and application files.

/dev/nvme0n1:

  1. Physical Volume (PV) for LVM for /home (entire device).
    • Using the entire NVMe device for the /home logical volume ensures fast access to user data and provides a clear separation from the root filesystem. This approach enhances performance and simplifies backups or future migrations of user data.

Steps to Configure /dev/sda

1. Open GParted

  1. Boot into the Linux Mint live session.
  2. Launch GParted from the menu.
  3. Select /dev/sda from the dropdown at the top-right.

2. Create GPT Partition Table on /dev/sda

  1. Go to Device > Create Partition Table.
  2. Select GPT as the new partition table type and click Apply.

3. Create EFI Partition

  1. Right-click on the unallocated space and select New.
  2. Configure:
    • Size: 1 GB.
    • File System: fat32.
    • Label: EFI.
  3. Click Add.
  4. Apply all changes:
    • Click the checkmark (green tick). Click Apply.
  5. Set flags:
    • Right-click the partition > Manage Flags.
    • Enable boot and esp flags.

4. Create Boot Partition

  1. Right-click on the unallocated space and select New.
  2. Configure:
    • Size: 4 GB.
    • File System: ext4.
    • Label: Boot.
  3. Click Add.

5. Create LVM Physical Volume

This LVM Physical Volume will contain both the SWAP space and the Root (“/”) file system.

  1. LVM/PV Partition:
    • Right-click the remaining unallocated space and select New.
    • Configure:
      • Size: Remaining Space.
      • File System: lvm2 pv
      • Label: SDA PV.
    • Click Add.
  2. Apply all changes:
    • Click the checkmark (green tick). Click Apply.

6. Check your work

You can check your work with the following terminal commands:

sudo pvdisplay
sudo fdisk -l /dev/sda

You should see indications of what you have created with Gparted.

Steps to Configure /dev/nvme0n1

Since the entire nvme device is going to be configured as LVM, nothing needs to be done other than what is done below in the terminal.

Setup LVM Using the Terminal

1. Prepare Physical Volumes

Run these commands in the terminal:

sudo pvcreate /dev/nvme0n1 # Physical Volume for /home

Verify the Physical Volumes have been created:

sudo pvdisplay

2. Create Volume Groups

sudo vgcreate vg_sda /dev/sda3
sudo vgcreate vg_nvme0 /dev/nvme0n1

Verify the Volume Groups:

sudo vgdisplay

3. Create Logical Volumes

  1. Swap:
    sudo lvcreate -L 96G -n lv_swap vg_sda
  2. Root:
    sudo lvcreate -l 100%FREE -n lv_root vg_sda
  3. Home:
    sudo lvcreate -l 100%FREE -n lv_home vg_nvme0

Verify the Logical Volumes:

sudo lvdisplay

4. Format Logical Volumes

I will be formatting the lv_root and lv_home Logical Volumes during the next section. It is not required to do it here.

Enable the swap Logical Volume:
sudo mkswap /dev/vg_sda/lv_swap

Verify everything with this:

lsblk -f

You should see a representation of how you have partitioned your devices

5. Mount Points in Installer

I’m using ext4 for compatibility and performance.

  1. During installation, choose Something Else.
  2. Assign:
    • /dev/mapper/vg_nvme0-lv_home: /home and format to ext4
    • /dev/mapper/vg_sda-lv_root: / and format to ext4
    • /dev/mapper/vg_sda-lv_swap: swap space
    • /dev/sda1: EFI System Partition automatically formatted to (FAT32)
    • /dev/sda2: /boot and format to ext4
  3. Set Device for boot loader installation to /dev/sda. /dev/sda is used for boot loader installation because it houses the EFI System Partition, ensuring compatibility, reliability, and ease of management in a UEFI-based system.

6. Install Linux Mint

  1. You should now be ready to install. Click the Install Now button.
  2. You will see a summary of what the installer is going to do. If you are satisfied, click the Continue button.
Linux, Linux Mint, Sys Admin , , , ,

Tailscale

Leave a comment Posted by on September 3, 2024

Build your own VPN.

These instructions cover how to install Tailscale on both Linux Mint 21.x and 22.x.

Linux Mint 21.x

Add Tailscale’s GPG key

$ curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/jammy.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null

Add the tailscale repository:

$ curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/jammy.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list

Install Tailscale:

$ sudo apt-get update && sudo apt-get install tailscale

Start Tailscale:

$ sudo tailscale up

Linux Mint 22.x

Add Tailscale’s GPG key

$ curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null

Add the tailscale repository:

$ curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/noble.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list

Install Tailscale:

$ sudo apt-get update && sudo apt-get install tailscale

Start Tailscale:

$ sudo tailscale up
Linux, Linux Mint, Sys Admin ,

Logical Volume on Nvme disk

Leave a comment Posted by on September 1, 2024

This blog post is how to configure a new Nvme SSD disk with Logical Volumes, format it and then mount it for use on your Linux system. The OS I’m doing this on is Linux Mint 22.0 but the steps are very similar on other Linux distros.

List Disks

The first step is to get information about the disks on your system. Do that with the lshw command:

$ sudo lshw -class disk
$ sudo lshw -class disk
  *-disk                    
       description: ATA Disk
       product: Samsung SSD 870
       physical id: 0
       bus info: scsi@0:0.0.0
       logical name: /dev/sda
       version: 3B6Q
       serial: S75BNL0X510488E
       size: 931GiB (1TB)
       capabilities: gpt-1.00 partitioned partitioned:gpt
       configuration: ansiversion=5 guid=0a659757-d6ef-4549-a6fe-ad2ca7f79fb2 logicalsectorsize=512 sectorsize=512
  *-cdrom
       description: DVD writer
       product: DVD+-RW DU-8A5LH
       vendor: PLDS
       physical id: 1
       bus info: scsi@1:0.0.0
       logical name: /dev/cdrom
       logical name: /dev/sr0
       version: 6D1M
       capabilities: removable audio cd-r cd-rw dvd dvd-r
       configuration: ansiversion=5 status=nodisc
  *-namespace:0
       description: NVMe disk
       physical id: 0
       logical name: hwmon1
  *-namespace:1
       description: NVMe disk
       physical id: 2
       logical name: /dev/ng0n1
  *-namespace:2
       description: NVMe disk
       physical id: 1
       bus info: nvme@0:1
       logical name: /dev/nvme0n1
       size: 1863GiB (2TB)
       configuration: logicalsectorsize=512 sectorsize=512 wwid=eui.0025384541a0abf0

The device I’m interested in here is logical name: /dev/nvme0n1which is a 2 TB device.

Physical Volumes

Check status of Physical Volumes on the system:

$ sudo pvdisplay

I only see the boot device. This means no Physical Volume has been created yet on the ss

$ sudo pvdisplay
--- Physical volume ---
PV Name /dev/sda2
VG Name vgmint
PV Size 931.01 GiB / not usable 4.00 MiB
Allocatable yes (but full)
PE Size 4.00 MiB
Total PE 238338
Free PE 0
Allocated PE 238338
PV UUID kGgo6r-HbVW-R0H8-Z4Ll-fGTO-fMej-O0iREI

Create the new Physical Volume on /dev/nvme0n1:

$ sudo pvcreate /dev/nvme0n1
$ sudo pvcreate /dev/nvme0n1
Physical volume "/dev/nvme0n1" successfully created.

Check and confirm:

$ sudo pvdisplay
$ sudo pvdisplay
--- Physical volume ---
PV Name /dev/sda2
VG Name vgmint
PV Size 931.01 GiB / not usable 4.00 MiB
Allocatable yes (but full)
PE Size 4.00 MiB
Total PE 238338
Free PE 0
Allocated PE 238338
PV UUID kGgo6r-HbVW-R0H8-Z4Ll-fGTO-fMej-O0iREI

"/dev/nvme0n1" is a new physical volume of "<1.82 TiB"
--- NEW Physical volume ---
PV Name /dev/nvme0n1
VG Name
PV Size <1.82 TiB
Allocatable NO
PE Size 0
Total PE 0
Free PE 0
Allocated PE 0
PV UUID lda15M-nH4L-CEok-QDat-2A1O-dPBI-VeTeEK

We now have the new Physical Volume on /dev/nvme0n1

Volume Group

Check the status of existing Volume Groups:

$ sudo vgdisplay
$ sudo vgdisplay
--- Volume group ---
VG Name vgmint
System ID
Format lvm2
Metadata Areas 1
Metadata Sequence No 3
VG Access read/write
VG Status resizable
MAX LV 0
Cur LV 2
Open LV 2
Max PV 0
Cur PV 1
Act PV 1
VG Size <931.01 GiB
PE Size 4.00 MiB
Total PE 238338
Alloc PE / Size 238338 / <931.01 GiB
Free PE / Size 0 / 0
VG UUID 88rFXN-yf9R-epV4-msvR-5cRr-zl0v-qxFUEd

You see that there already exists a Volume Group named vgmint where the root filesystem is installed.

Create the new Volume Group named vgnvme on the newly created /dev/nvme0n1 physical volume like this:

$ sudo vgcreate vgnvme /dev/nvme0n1
$ sudo vgcreate vgnvme /dev/nvme0n1
Volume group "vgnvme" successfully created

Then confirm it was created correctly:

$ sudo vgdisplay vgnvme
$ sudo vgdisplay vgnvme
--- Volume group ---
VG Name vgnvme
System ID
Format lvm2
Metadata Areas 1
Metadata Sequence No 1
VG Access read/write
VG Status resizable
MAX LV 0
Cur LV 0
Open LV 0
Max PV 0
Cur PV 1
Act PV 1
VG Size <1.82 TiB
PE Size 4.00 MiB
Total PE 476932
Alloc PE / Size 0 / 0
Free PE / Size 476932 / <1.82 TiB
VG UUID pH9fRB-QXRz-IGkL-t57V-xVXm-NP15-rf9vlA

Logical Volume

Now review the existing Logical Volumes on the system with the lvdisplay command:

$ sudo lvdisplay
$ sudo lvdisplay
--- Logical volume ---
LV Path /dev/vgmint/root
LV Name root
VG Name vgmint
LV UUID Oq70Uf-b9zI-zQE1-134v-Zi0t-M6ee-jGYgD1
LV Write Access read/write
LV Creation host, time mint, 2024-08-27 18:47:19 -0400
LV Status available
# open 1
LV Size <929.10 GiB
Current LE 237849
Segments 1
Allocation inherit
Read ahead sectors auto
currently set to 256
Block device 252:0 

--- Logical volume ---
LV Path /dev/vgmint/swap_1
LV Name swap_1
VG Name vgmint
LV UUID 82mxHk-oqhS-I1DF-HsRo-OaBs-S5la-lG70HE
LV Write Access read/write
LV Creation host, time mint, 2024-08-27 18:47:19 -0400
LV Status available open 2 LV Size 1.91 GiB
Current LE 489
Segments 1
Allocation inherit
Read ahead sectors auto
currently set to 256
Block device 252:1

You see that I have en existing Logical Volume named root for the root filesystem and another named swap_1 for the swap space. Both Logical Volumes reside on the vgmint Volume Group.

Now create a new Logical Volume named volnvme on the newly created vgnvme Volume Group. Create it using the maximum space allowed on the Volume Group:

$ sudo lvcreate -n volnvme -l 100%FREE vgnvme
$ sudo lvcreate -n volnvme -l 100%FREE vgnvme
Logical volume "volnvme" created.

Then confirm it was created correctly. Use volume_group/volume_name format when displaying:

$ sudo lvdisplay vgnvme/volnvme
$ sudo lvdisplay vgnvme/volnvme
--- Logical volume ---
LV Path /dev/vgnvme/volnvme
LV Name volnvme
VG Name vgnvme
LV UUID v2DC8Q-XQPk-aFUU-X8wR-XWCq-RCYx-i80TFB
LV Write Access read/write
LV Creation host, time Gob, 2024-09-01 16:43:52 -0400
LV Status available
# open 0
LV Size <1.82 TiB
Current LE 476932
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 252:2

This shows the correctly created Logical Volume that is associated with the Volume Group.

Create Filesystem

Before we can use it we need to create a filesystem on the Logical volume. I’m going to create a ext4 filesystem:

$ sudo mkfs.ext4 /dev/vgnvme/volnvme
$ sudo mkfs.ext4 /dev/vgnvme/volnvme
mke2fs 1.47.0 (5-Feb-2023)
Discarding device blocks: done
Creating filesystem with 488378368 4k blocks and 122101760 inodes
Filesystem UUID: 74388657-077d-46ca-adb4-44e986ff6c47
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
102400000, 214990848

Allocating group tables: done
Writing inode tables: done
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done

Mount the Logical Volume

Now that you have the file system created you are ready to mount it somewhere. I want to mount it within my own user’s home directory. I need to create a mount point for this:

$ mkdir -p ~/mnt/nvme

Notice I did not use sudo. I want this directory structure and all files own by my user.

Now test mount the new Logical volume on the location you created for it like this:

$ sudo mount /dev/vgnvme/volnvme /home/mac/mnt/nvme

If everything went as expected you should not get any response to the above command.

Verify that the Logical Volume is mounted:

$ mount | grep /dev/mapper/vgnvme-volnvme
$ mount | grep /dev/mapper/vgnvme-volnvme
/dev/mapper/vgnvme-volnvme on /home/mac/mnt/nvme type ext4 (rw,relatime)

If you check file and group ownership of the /home/mac/mnt/nvme directory at this point you will see that it is owned by root even though we created it without sudo. This is because we had to mount it as root and it took on root ownership. Now that is is mounted you can change this ownership:

$ cd ~/mnt
$ sudo chown -R mac:mac ~/mnt/nvme/

Now un-mount the filesystem:

$ sudo umount /home/mac/mnt/nvme

Automatically mount this filesystem when booting

I want this filesystem to always be automatically mounted when the system boots. This means there needs to be an entry in the /etc/fstab file that directs the system to mount it.

First you will need to see what the mapper for this filesystem is. You can find it by doing a listing in /dev/mapper:

$ ll /dev/mapper

I see the following:

$ ll /dev/mapper
total 0
crw------- 1 root root 10, 236 Aug 30 17:54 control
lrwxrwxrwx 1 root root 7 Aug 30 17:54 vgmint-root -> ../dm-0
lrwxrwxrwx 1 root root 7 Aug 30 17:54 vgmint-swap_1 -> ../dm-1
lrwxrwxrwx 1 root root 7 Sep 1 16:43 vgnvme-volnvme -> ../dm-2

It looks like my mapper device is /dev/mapper/vgnvme-volnvme

Now, edit the /etc/fstab file as root user and add a section that looks like this:

# Internal NVME Disk
/dev/mapper/vgnvme-volnvme /home/mac/mnt/nvme ext4 errors=remount-ro 0 1

Tell the systemctl daemon to reload:

$ sudo systemctl daemon-reload

Now tell the system to mount that filesystem:

$ sudo mount /dev/mapper/vgnvme-volnvme

Confirm the file system is mounted:

$ mount | grep /dev/mapper/vgnvme-volnvme

Once you have confirmed you can reboot the system and confirm that the new filesystem automatically mounts on a reboot.

Linux, Linux Mint, Sys Admin , , , , , , , , , ,

Linux Mint 22.x

Leave a comment Posted by on August 31, 2024

These are my notes on configuring Linux Mint 22.x.

Linux Mint 22.x is based on Ubuntu 24.04. Make sure to read the Ubuntu release notes.

If you find this and think it is useful, leave a comment and say what you like or don’t like. Keep in mind these are my own notes and are not intended to be a HowTo for the general public.

This installation was done on an Dell Optiplex 7050. I’m also installing on Oracle Virtual Box so I will add some additional steps for that which will be noted as extra steps for Virtual Box.

Disable Secure Boot

I attempted to install with Secure Boot enabled, but it seems that Linux Mint has an issue installing certain drivers with secure boot enabled. This is not really something I need so I am disabling Secure Boot in the bios to not be hassled with it.

Install Linux Mint 22.x.

As of this writing it is Mint 22.0. I typically avoid a .0 release, but I just got a new computer and this OS was just released so we’ll see how it goes. I may update these instructions as newer versions come out. Without going into lots of detail on how to install Linux Mint which has been covered in many other HowTos I am just focusing on what I do to configure it to my liking. I am installing on a fresh new disk. I did install multimedia codecs. If you have turned off Secure Boot as mentioned earlier you will not have any additional prompts in this area.

I did select Advanced Features in the Installation Type window and selected to use LVM with the new installation. I did choose to erase disk because this is a new disk and a fresh install. I did choose to encrypt my home directory. I did encrypt home directory.

The installation is pretty straight forward and not complicated.

Up and Running

Virtual Box Guest Additions

As I mentioned I am also installing Linux Mint 22 on a Virtual machine so for Virtual Box Virtual Machine you will need to install Guest Additions. Ignore this if you are doing on a physical machine.

  1. Click Devices
  2. Insert Guest Additions CD image
  3. Click ‘Run’
  4. Type your password

This will install guest additions and allow you to resize your screen on the fly.

First Steps

When you first Launch Linux Mint you will get a Welcome Screen. On the left click ‘First Steps’.

Desktop Colors: I kept the default
Update Manager: Launch the Update Manager and update everything.
Driver Manager: When I launch I get a message that no drivers are needed.
System Snapshots: I will address at a later time.
Firewall: Also addressed later.

Firmware

I want to make sure my firmware (bios and other firmware) are up to date. Do that by doing the following:

$ sudo apt install fwupd
$ fwupdmgr get-updates
$ fwupdmgr update

Then follow the prompts to update. The system will reboot and do the updates then reboot again.

Sudoers

Edit the /etc/sudoers file so you don’t have to put your password in each time:

$ sudo visudo

There will be a line that looks like this:

%sudo ALL=(ALL:ALL) ALL

Comment out that line and make it look like this:

%sudo ALL=(ALL) NOPASSWD: ALL

Now when you use sudo you will not have to enter your password.

Install OpenSSH Server

Install SSH Server so you can ssh to the host:

$ sudo apt install openssh-server -y

Test ssh to the new host. You may during this process encounter an error regarding an “Offending ECDSA key in ~/.ssh/known_hosts”. This is easily resolved by deleting the referenced line in ~/.ssh/known_hosts.

I’ve also experienced an issue where when attempting to ssh to this new host via name it does not work. SSH via IP address does work. DNS resolution is correct. I even have the host in /etc/hosts. No dice.

I was finally able to resolve the issue by putting an entry into the ssh config file on my SSH from host in the ~/.ssh/config.d/LocalHosts.conf file. The entry in this file looks like this:

Host pop
  Hostname 192.168.20.34
  ForwardX11 yes
  ForwardX11Trusted yes

This seems to have solved the problem. I suspect I have some other conflicting entry in my ssh config files that are preventing this, but I can’t find it.

SSH Keys:

Now that you can ssh to your new host you will want to be able to ssh using your ssh key instead of password. From the remote host do this:

$ ssh-copy-id -i ~/.ssh/id_rsa.pub [newhostname]

You will be prompted to enter the password for the New Host. It will copy over your public ssh key from ~/.ssh/id_rsa.pub. This assumes your public ssh key is indeed ~/.ssh/id_rsa.pub.

You should be able to ssh to the new host now without entering your password.

(Optional) Now copy all the ~/.ssh directory contents from your old host into this new host so you have the keys, the known hosts and authorized keys files from your user on the old host and now have them on your new host.

From the old host:

$ cd ~/.ssh
$ scp -r * [new-host-name]:~/.ssh

Hosts file:

Copy the Home Network section of your /etc/hosts file from the old host to the /etc/hosts file on the new host.

pCloud

Instead of
Dropbox I’ve decided to try pCloud. It is half as much money and much easier to set up. Pretty much all you have to do is create an account on pCloud then download the software binary and run it. It will install and run every time you boot your computer. Put the binary in /usr/bin, then after you run it, check Startup Applications to make sure it is starting each time and from correct path. Test by rebooting to see if it starts automatically.

I got the basic account which gives me 500 GB of storage which is more than I need. So far this has worked very well for me and is much less problematic than DropBox. I’ve not tried on MacOS or Windows yet but usually Linux is where most of the problems come from.

Install KeepassXC

Keepass XC is the greatest Password Safe in my humble opinion.

Install it:

$ sudo apt install keepassxc -y

Install Chrome

You’ll need Chrome as well

Go to https://www.google.com/chrome/

Click the Download Chrome button. Mine automatically downloaded into ~/Downloads. The 64 bit version was automatically selected.

Install it like this:

$ cd ~/Downloads
$ sudo apt install ./google-chrome-stable_current_amd64.deb

This will automatically install a repository as well for future updates.

Install Signal

Create a temporary directory off of your home directory:

$ mkdir -p ~/tmp
$ cd ~/tmp

Install the Signal official public software signing key:

$ wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > signal-desktop-keyring.gpg
$ cat signal-desktop-keyring.gpg | sudo tee /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null

Add the Signal repository to your list of repositories:

$ echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main' | sudo tee /etc/apt/sources.list.d/signal-xenial.list

Note that noble is the Ubuntu version that corresponds to Mint 22, but they don’t have a repo for noble so you need to use the xenial repo as shown above.

Update your package database and install Signal:

$ sudo apt update && sudo apt install signal-desktop

Now from the start menu, find signal and run it. You will be prompted to scan a QR code from your signal app on your phone. Go to three dots > Settings > Linked Devices and scan the QR Code.

Now edit the startup line in /usr/share/applications/signal-desktop.desktop to look like this:

Exec=/opt/Signal/signal-desktop --use-tray-icon --no-sandbox %U

This will keep Signal alive in your system tray when you close it.

You will also want to add signal to the automatic startup list. [Super Key] > Startup Applications. Click the ‘+’ sign and ‘Choose Application‘, find Signal, select it the click ‘Add Application’. You can also edit the config to have a start delay to give the PC some time to settle before starting it. I delayed it for 120 seconds.

Additional Software

There are other software packages I commonly use that need to be installed:

$ sudo apt install  kwrite kate terminator sshuttle vim sshpass nfs-common gparted imagemagick whois lsscsi -y

Mount NFS Share

Mount the NFS share of your old workstation or other server. Create a mount point:

$ mkdir -p /mnt/[nfs-host-name]
$ mkdir -p /mnt/nfs-pop

Make sure the NFS server is in your /etc/hosts file by name.

Test mount the remote NFS Server at your newly created mount point:

$ sudo mount [nfs-server]:/home/mac/mnt/nvme /mnt/[mount-point]
$ sudo mount pop:/home/mac/mnt/nvme /mnt/nfs_pop

Edit the /etc/fstab file to create an entry in it:

# External Mount
pop:/home/mac/mnt/nvme /mnt/nfs_pop nfs rw,soft,noauto 0 0

Now you can simply mount or un-mount the NFS server with the following commands:

$ sudo mount /mnt/nfs_pop
$ sudo umount /mnt/nfs_pop

There may be firewall rules in play that you will have to set or open.

Crossover

Get the most recent version of Crossover here:
https://www.codeweavers.com/crossover

Get the free trial and download to your machine.

Then install like this:

$ sudo apt install ./crossover_[version-number].deb

Before you attempt to run any bottle you will need to install this library:

$ sudo apt-get install liblcms2-2:i386

This will install a bunch of other dependencies as well.

Register the installation of CrossOver before you attempt to install anything.

To export a bottle from one machine to another, in this case Quicken, which is the only reason for running Crossover, do this:

  1. Open Crossover
  2. Right Click on the Quicken_Classic Bottle.
  3. Choose ‘Export Quicken_Classic to Archive’
  4. Choose a location to save it. It is a good idea to time stamp the file to not overwrite a previous working bottle export.
  5. On the new machine go to Menu > Bottle > Import Bottle Archive
  6. Browse to where you stored the archive, click it and click ‘Restore’.
  7. I get a message that CrossOver needs to install several Linux packages in order to run Windows applications. Click Yes. This will install a butt load of libraries and dependencies.
  8. You may actually think it is stuck but when it seems to stop doing something see if the ‘Continue’ button is active and if so, click it.
  9. The process will sit there for a bit acting like it is stuck. I let is sit for a few minutes then came back and x’ed out of where it was. Closed Crossover and started it again. It seems to have installed the bottle.
  10. Finally your bottle should be imported.
  11. Make your symlinks to your datafiles to your home directory because Crossover has issues with finding files that are deep.
  12. Crossover only needs your email address and login password to register. There is no serial number.

Surprisingly this was the first time importing a bottle worked flawlessly. This is a new version on new machine so maybe they worked the kinks out of it.

VueScan

Get the latest version here:
https://www.hamrick.com/alternate-versions.html

Install it and put you serial number and registration number in.

Profile

Modify your profile.

Edit ~/.bashrc and change

alias ll='ls -alF'

to

alias ll='ls -lF'

Set your $PATH to include ~/bin

# Set your path to inclue $HOME/bin
PATH="$HOME/bin:$PATH"

Save the file and then source it like this:

$ source ~/.bashrc

Additional Packages

Here’s a way you can see what packages you have on your old machine and compare to what you have on your new machine.

On the old machine do:

$ sudo apt list --installed | cut -f1 -d/ | sort > installed.[old-hostname]

Then on the new machine do:

$ sudo apt list --installed | cut -f1 -d/ | sort > installed.[new-hostname]

Then SCP the installed.[new-hostname] file to the old host and then compare them like this:

$ diff installed.gob installed.pop | grep ‘<‘

This will give you a list of packages that are installed on the old host but not on the new host. It turns out I had quite a few. Go thru the list and see what you need on the new.

The majority of the packages you find will probably be dependencies for some other package you installed. If you don’t know what a package is for you can easily check information about it with:

$ apt show [package-name]

The majority of the packages I found this way are libraries that are dependencies for other packages I have installed over time.

I found a few packages that I think are useful and should probably be installed:

$ sudo apt install gimp git nmap nmap-common traceroute ethtool ffmpeg guake steam sysstat

Install Spotify

Want to play your Spotify play lists? Install Spotify from the Software Manager. Just search for it and install it.

You should now be able to log into Spotify and play your music.

Mount Additional Drives

See this post Logical Volume on Nvme disk

Install Virtual Box

See this post to install Install VirtualBox 7.0 on Linux Mint 21.x or Linux Mint 22.x

Linux, Linux Mint, Sys Admin

Install VirtualBox 7.0 on Linux Mint 21.x or Linux Mint 22.x

1 Comment Posted by on March 11, 2023

This is what I did to install VirtualBox 7.0 on my new Linux Mint 21.x workstation.
Also done the same procedure on Linux Mint 22.x.

See the VirtualBox Wiki for the deets on VirtualBox 7.0

  1. Ensure your system has been updated:
    $ sudo apt update && sudo apt upgrade -y
  2. Download the VirtualBox GPG Keys:
    $ curl https://www.virtualbox.org/download/oracle_vbox_2016.asc | gpg --dearmor > oracle_vbox_2016.gpg
    $ curl https://www.virtualbox.org/download/oracle_vbox.asc | gpg --dearmor > oracle_vbox.gpg
  3. Import the VirtualBox GPG Keys:
    $ sudo install -o root -g root -m 644 oracle_vbox_2016.gpg /etc/apt/trusted.gpg.d/
    $ sudo install -o root -g root -m 644 oracle_vbox.gpg /etc/apt/trusted.gpg.d/
  4. There does not appear to be an official repository for Linux Mint, but Linux Mint 21.x is derived from Ubuntu 22.04 which is code named ‘Jammy’.
    Linux Mint 22.x is derived from Ubuntu 24.04 which is code named ‘Noble’.
    Add the ‘Jammy’ or ‘Noble’ VirtualBox Repository to the system.:
    $ echo "deb [arch=amd64] http://download.virtualbox.org/virtualbox/debian \
    jammy contrib" | sudo tee /etc/apt/sources.list.d/virtualbox.list
    $ echo "deb [arch=amd64] http://download.virtualbox.org/virtualbox/debian \
    noble contrib" | sudo tee /etc/apt/sources.list.d/virtualbox.list
  5. Update the Repositories:
    $ sudo apt update
  6. Install Linux Headers:
    $ sudo apt install linux-headers-$(uname -r) dkms
  7. Install VirtualBox 7.0:
    $ sudo apt install virtualbox-7.0
    Or install VirtualBox 7.1:
    $ sudo apt install virtualbox-7.1
  8. Download the VirtualBox Extension Pack:
    $ cd ~/Downloads
    $ VER=$(curl -s https://download.virtualbox.org/virtualbox/LATEST.TXT)
    $ wget https://download.virtualbox.org/virtualbox/$VER/Oracle_VM_VirtualBox_Extension_Pack-$VER.vbox-extpack
  9. Install the Extension Pack:
    $ sudo VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-*.vbox-extpack
  10. You will be prompted to accept license terms. Do so and the Extension Pack will get installed.
  11. You can now launch VirtualBox from the Desktop menu.
Linux Mint, Sys Admin ,

Linux Mint 21.x

Leave a comment Posted by on January 3, 2023

These are my notes on configuring Linux Mint 21.x.

Linux Mint 21.x is based on Ubuntu 22.04.

If you find this and think it is useful, leave a comment and say what you like or don’t like. Keep in mind these are my own notes and are not intended to be a HowTo for the general public.

This installation was done on an Dell Optiplex 7050. I’m also installing on Oracle Virtual Box so I will add some additional steps for that which will be noted as extra steps for Virtual Box.

Disable Secure Boot

I configured the Dell BIOS to have Secure Boot Disabled. It is possible to install this and have Secure Boot Enabled but for my purposes this is simply a hassle that I don’t need and the benefits are negligible for a home computer.

Install Linux Mint 21.x.

As of this writing it is Mint 21.1. I may update these instructions as newer versions come out. Without going into lots of detail on how to install Linux Mint which has been covered in many other HowTos I am just focusing on what I do to configure it to my liking. I am installing on a fresh new disk. I did install multimedia codecs. If you have turned off Secure Boot as mentioned earlier you will not have any additional prompts in this area.

I did select Advanced Features in the Installation Type window and selected to use LVM with the new installation. I did choose to erase disk because this is a new disk and a fresh install. I did choose to encrypt my home directory. Maybe not? Testing without encrypting.

The installation is pretty straight forward and not complicated.

Up and Running

Virtual Box Guest Additions

For Virtual Box Virtual Machine you will need to install Guest Additions

  1. Click Devices
  2. Insert Guest Additions CD image
  3. Click ‘Run’
  4. Type your password

This will install guest additions and allow you to resize your screen on the fly.

First Steps

When you first run Mint you will get a Welcome Screen. On the left click First Steps.

Panel Layout. I like Traditional Panel Layout.

Launch the Update Manager and update everything. You may need to reboot at this point.

Launch Driver Manager and see if you need any drivers. I did not need any.

I’ll talk about System Snapshots a little later.

I will address Firewall a little later as well.

The other items on First Steps are pretty much self explanatory.

Firmware

I get a message when I did the updates that the firmware was outdated. I was able to resolve the issue by doing the following:

$ sudo apt install fwupd
$ fwupdmgr get-updates
$ fwupdmgr update

Then follow the prompts to update. The system will reboot and do the updates then reboot again.

Synergy

I’m putting Synergy first. For me it makes it easier to set up my new machine alongside my old one and use the single keyboard and mouse. That way I don’t have to switch back and forth on the keyboard.

Linux Mint 21 is based on Ubuntu 22.04 LTS. See: https://en.wikipedia.org/wiki/Linux_Mint

Go to https://symless.com/account and sign in. Go to the download page and get the package for Synergy 1. Synergy 2 is no longer supported and is not backwards compatible. Synergy 3 is in beta if interested. Download the Ubuntu 22 package and save it to ~/Downloads.

Install it on both the Server and Client computer. Make sure the same version is on both computers.:

$ cd ~/Downloads
$ sudo apt install ./synergy_1.14.6-snapshot.88fdd263_ubuntu22_amd64.deb

Now from the desktop menu select Synergy and run it.

  • You will be prompted to name the computer. If your computer already has a name then it will suggest the name for you. Click ‘Apply’.
  • You will be prompted to enter your serial key. This can be found on the Account page on the Synergy web site.
  • You will be prompted to select to either ‘Use this computer’s keyboard and mouse…’ or ‘Use another computer’s keyboard and mouse…’. In this case I am using another computer’s keyboard and mouse. Select the appropriate response.
  • Type in the IP address of the Server. Click ‘Connect’
  • You will get a ‘Security Question’ about the Server’s fingerprint. Read that and click ‘Yes’.
  • On the Server side you need to click the ‘Configure Server’ button to configure the layout.
  • If you run into trouble you should go into preferences and un-check ‘Enable TLS encryption’ on both Server and Client and get it working without TLS. Then once it is working switch to TLS.
  • From the new computer’s startup menu find ‘Startup Application’ and add Synergy to startup list. I’ve added a startup delay of about 30 seconds.
  • Once you have everything working correctly you should go to Preferences in both Server and Client and click both ‘Hide on startup’ and ‘Minimize to system tray’. Now you can minimize and not have it open in your task bar.

Synergy 3

Synergy 3 has been released. I’m adding this section to test to see if it is worth trying.

Go to https://symless.com/account and sign in. Go to the download page and get the package for Synergy 3. Download the Ubuntu 22 package and save it to ~/Downloads.

Install it on both the Server and Client computer. Make sure the same version is on both computers.:

$ cd ~/Downloads
$ sudo apt install ./synergy-linux_x64-libssl3-v3.0.80.1-rc3.deb

There were some warnings with the installation. I’m not real sure on if they are significant. Now from the desktop menu select Synergy and run it. This opens a splash screen that says it is Synergy 3 RC3.

Click the second method that says “Offline serial key”.
You will be prompted to enter your Serial Key. Copy and paste here then click ‘Log in’ button.
On the next secreen, name the Computer and click Next.
It will now show a layout screen where multiple computers are. You will need a second Computer running the same version for this to work.
Arrange the screens so they are positioned the way you want them.
Once you have the computers the way you want you should be able to click “Done” which is in a text box at the top of this screen.

Sudoers

Edit the /etc/sudoers file so you don’t have to put your password in each time:

$ sudo visudo

There will be a line that looks like this:

%sudo ALL=(ALL:ALL) ALL

Comment out that line and make it look like this:

%sudo ALL=(ALL) NOPASSWD: ALL

Now when you use sudo you will not have to enter your password.

Install OpenSSH Server

Install SSH Server so you can ssh to the host:

$ sudo apt install openssh-server -y

Test ssh to the new host. You may during this process encounter an error regarding an “Offending ECDSA key in ~/.ssh/known_hosts”. This is easily resolved by deleting the referenced line in ~/.ssh/known_hosts.

I’ve also experienced an issue where when attempting to ssh to this new host via name it does not work. SSH via IP address does work. DNS resolution is correct. I even have the host in /etc/hosts. No dice.

I was finally able to resolve the issue by putting an entry into the ssh config file on my SSH from host in the ~/.ssh/config.d/LocalHosts.conf file. The entry in this file looks like this:

Host pop
  Hostname 192.168.20.34
  ForwardX11 yes
  ForwardX11Trusted yes

This seems to have solved the problem. I suspect I have some other conflicting entry in my ssh config files that are preventing this, but I can’t find it.

SSH Keys:

Now that you can ssh to your new host you will want to be able to ssh using your ssh key instead of password. From the remote host do this:

$ ssh-copy-id -i ~/.ssh/id_rsa.pub [newhostname]

You will be prompted to enter the password for the New Host. It will copy over your public ssh key from ~/.ssh/id_rsa.pub. This assumes your public ssh key is indeed ~/.ssh/id_rsa.pub.

You should be able to ssh to the new host now without entering your password.

(Optional) Now copy all the ~/.ssh directory contents from your old host into this new host so you have the keys, the known hosts and authorized keys files from your user on the old host and now have them on your new host.

From the old host:

$ cd ~/.ssh
$ scp -r * [new-host-name]:~/.ssh

Hosts file:

Copy the Home Network section of your /etc/hosts file from the old host to the /etc/hosts file on the new host

Dropbox

Install Dropbox and python3-gpg packages

$ sudo apt install dropbox python3-gpg

Then go to start menu and find Dropbox and run it.

You will get a message that says in order to use Dropbox you must download the proprietary daemon. Click OK

A Web Page will pop up where you enter your credentials. Do so. You can now open the DropBox client in the toolbar.

Install KeepassXC

Keepass XC is the greatest Password Safe in my humble opinion.

Install it:

$ sudo apt install keepassxc -y

Install Chrome

You’ll need Chrome as well

Go to https://www.google.com/chrome/

Click the Download Chrome button. Mine automatically downloaded into ~/Downloads. The 64 bit version was automatically selected.

Install it like this:

$ cd ~/Downloads
$ sudo apt install ./google-chrome-stable_current_amd64.deb

This will automatically install a repository as well for future updates.

Install Signal

Go to https://signal.org/en/download/
Click on Download for Linux and follow the instructions that pop up.

After you install Signal edit the startup line in /usr/share/applications/signal-desktop.desktop to look like this:

Exec=/opt/Signal/signal-desktop --use-tray-icon --no-sandbox %U

Additional Software

There are other software packages I need. I’ll do them one at a time because I don’t want to confuse error message between one package or another:

$ sudo apt install kwrite -y
$ sudo apt install kate -y
$ sudo apt install terminator -y
$ sudo apt install sshuttle -y
$ sudo apt install vim -y
$ sudo apt install sshpass -y
$ sudo apt install nfs-common -y
$ sudo apt install gparted -y
$ sudo apt install imagemagick -y
$ sudo apt install whois -y
$ sudo apt install lsscsi -y

Mount NFS Share

Create a mount point:

$ cd ~
$ mkdir -p mnt/[nfs-server-host-name]

Edit /etc/fstab and add these lines:

# External Mounts
[nfs-server-host-name]:[path-to-nfs-export] /home/[your-user]/mnt/[nfs-server-host-name] nfs rw,soft,noauto 0 0

Edit /etc/hosts and add the IP address of Serenity.

Then mount the NFS share:

$ sudo mount [nfs-server-host-name]:[path-to-nfs-export]

You will need to modify the firewall rule on the NFS server to allow connections from your new host before this will work.
https://squoggle.wordpress.com/2020/05/04/iptables/

Mount External Hard Drive

See what device your External USB device shows up as:

$ lsscsi
[0:0:0:0] disk ATA Samsung SSD 860 4B6Q /dev/sda
[1:0:0:0] cd/dvd HL-DT-ST DVD+-RW GU90N A1C2 /dev/sr0
[4:0:0:0] disk WD Elements 25A1 1018 /dev/sdb

In my case it shows up as /dev/sdb
Edit your /etc/fstab file and make an entry like this:

# Western Digital Elements Backup Drive
/dev/sdb1    /home/mac/mnt/WD    ntfs    rw,relatime,user_id=0,group_id=0,allow_other   0 0

Create a mount point for the External Hard Drive

$ mkdir -p ~/mnt/WD

Then mount

$ sudo mount -a

Something else here.

Install Slack:

Go to https://slack.com/downloads/linux
Download the .deb 64 bit package into your ~/Downloads directory.
Then install it:

$ cd ~/Downloads
$ sudo apt install ./slack-desktop-4.29.149-amd64.deb

Crossover

Get the most recent version of Crossover here:
https://www.codeweavers.com/crossover

Get the free trial and download to your machine.

Then install like this:

$ sudo apt install ./crossover_[version-number].deb

Before you attempt to run any bottle you will need to install this library:

$ sudo apt-get install liblcms2-2:i386

This will install a bunch of other dependencies as well.

To export a bottle from one machine to another, in this case Quicken, which is the only reason for running Crossover, do this:

  1. Open Crossover
  2. Right Click on the Quicken Bottle.
  3. Choose ‘Export Quicken 2017 to Archive’
  4. Choose a location to save it. It is a good idea to time stamp the file to not overwrite a previous working bottle export.
  5. On the new machine go to Menu > Bottle > Import Bottle Archive
  6. Browse to where you stored the archive, click it and click ‘Restore’.
  7. I get a message that CrossOver needs to install several Linux packages in order to run Windows applications. Click Yes. This will install a butt load of libraries and dependencies.
  8. You may actually think it is stuck but when it seems to stop doing something see if the ‘Continue’ button is active and if so, click it.
  9. The process will sit there for a bit acting like it is stuck. Just be patient.
  10. Finally your bottle should be imported.
  11. Make your symlinks to your datafiles to your home directory because Crossover has issues with finding files that are deep.
  12. Crossover only needs your email address and login password to register. There is no serial number.

Surprisingly this was the first time importing a bottle worked flawlessly. This is a new version on new machine so maybe they worked the kinks out of it.

VueScan

Get the latest version here:

https://www.hamrick.com/alternate-versions.html

Profile

Modify your profile.

Edit ~/.bashrc and change

alias ll='ls -alF'

to

alias ll='ls -lF'

Set your $PATH to include ~/bin

# Set your path to inclue $HOME/bin
PATH="$HOME/bin:$PATH"

Save the file and then source it like this:

$ source ~/.bashrc

Additional Packages

Here’s a way you can see what packages you have on your old machine and compare to what you have on your new machine.

On the old machine do:

$ sudo apt list --installed | cut -f1 -d/ | sort > installed.[old-hostname]

Then on the new machine do:

$ sudo apt list --installed | cut -f1 -d/ | sort > installed.[new-hostname]

Then SCP the installed.[new-hostname] file to the old host and then compare them like this:

$ diff installed.gob installed.pop | grep ‘<‘

This will give you a list of packages that are installed on the old host but not on the new host. It turns out I had quite a few. Go thru the list and see what you need on the new.

The majority of the packages you find will probably be dependencies for some other package you installed. If you don’t know what a package is for you can easily check information about it with:

$ apt show [package-name]

The majority of the packages I found this way are libraries that are dependencies for other packages I have installed over time.

I found a few packages that I think are useful and should probably be installed:

alien
gimp
gparted
git
mlocate
nmap
traceroute

This is a short list of many.

Other Must See Pages

At this point you should be up and running and ready to work. However there are a lot more things that I typically use on a day to day basis when using Linux Mint.

This list is not an extensive list but may be of help:

Install VirtualBox 7.0 on Linux Mint 21.x

Key Store Explorer

Installing ZenMap in UBUNTU 22.04

How to Install Zenmap on Ubuntu 22.04

How to install Proton VPN on Linux Mint

How to use the Proton VPN Linux app

Install JetBrains Toolbox App Then use the Toolbox to install PyCharm and DataGrip


Linux Mint, Sys Admin

Certificate Revocation List (CRL)

Leave a comment Posted by on December 15, 2022

Certificate Revocation Lists (CRLs) are used in public key infrastructure (PKI) to identify digital certificates that have been revoked by the certificate authority (CA) before their expiration date.

When a CA revokes a digital certificate, it adds the certificate’s serial number to the CRL. The CRL is then distributed to users who rely on the PKI, such as web browsers and other software that verify digital certificates.

When a user encounters a digital certificate that has been revoked, their software checks the CRL to confirm that the certificate is no longer valid. If the certificate’s serial number is listed on the CRL, the software will reject the certificate and prevent the user from accessing the website or resource protected by the certificate.

CRL Expiration

The client typically gets a new Certificate Revocation List (CRL) from the Certificate Authority (CA) when the existing CRL expires or when there have been changes to the status of certificates that have been revoked.

When a CA revokes a digital certificate, it adds the certificate’s serial number to the CRL. The CRL contains a list of all the revoked certificates, along with their revocation status and the reason for revocation.

The CRL has an expiration date and time, after which it is no longer considered valid. The expiration date is typically set by the CA when the CRL is issued, and it is usually a few days to a few weeks after the issue date. When the CRL is about to expire, the client will check with the CA to obtain a new CRL that is valid for the next period.

In addition to the expiration date, the client may also obtain a new CRL if there are changes to the revocation status of certificates that have been previously listed in the CRL. This can happen if a certificate that was previously revoked is now reinstated, or if a certificate that was previously valid is now revoked.

The client can obtain a new CRL from the CA via various means, such as through online updates or downloads. Some PKIs also use alternative methods of certificate revocation, such as Online Certificate Status Protocol (OCSP), which can provide real-time updates on the status of certificates.

The Good about CRL

  • Offline validation: CRLs can be downloaded and stored offline, allowing users to validate certificates even when they are not connected to the network.
  • No single point of failure: Unlike OCSP, CRLs don’t rely on a single server for validation, so they are less susceptible to single points of failure.
  • Better reliability: CRLs may be more reliable than OCSP in certain situations, such as when the CA’s OCSP server or network connectivity is experiencing issues.
  • Can cover multiple certificates: A single CRL can cover multiple certificates, reducing the amount of data that needs to be downloaded and parsed.

The Bad about CRL

  • Larger size: CRLs can become large and unwieldy as the number of revoked certificates increases, leading to longer download times and increased storage requirements.
  • Increased latency: CRLs can introduce latency into the certificate validation process, as users must download and parse the entire CRL before they can validate a certificate.
  • May be outdated: CRLs are typically updated on a periodic basis, so there is a risk that a certificate may have been revoked between updates and the user may not be aware of it.
  • May present a privacy risk: CRLs can potentially expose information about revoked certificates, which could be used by attackers to gather information about a PKI.

Overall, CRLs can be an effective means of validating certificates in a PKI, especially in situations where offline validation is important or when the number of revoked certificates is relatively small. However, they also have some drawbacks that should be considered, such as larger size, increased latency, and potential privacy risks.

Delta CRL

A Delta Certificate Revocation List (CRL) is a type of CRL that contains only the revoked certificates that have been added or changed since the previous CRL was issued. The Delta CRL is meant to be used in conjunction with the base CRL, which contains the complete list of revoked certificates.

The Delta CRL is a more efficient way of distributing certificate revocation information, as it contains only the changes to the previous CRL, rather than the entire list of revoked certificates. This can significantly reduce the size of the CRL and the time it takes to download and process it.

To use a Delta CRL, the client first downloads the base CRL, which contains the complete list of revoked certificates. The client then downloads the Delta CRL, which contains only the changes since the previous CRL. The client then merges the Delta CRL with the base CRL to obtain a complete and up-to-date list of revoked certificates.

The use of Delta CRLs can help to improve the efficiency of certificate revocation in large PKIs, especially when the number of revoked certificates is high and changes occur frequently. However, the use of Delta CRLs also requires additional management and coordination between the CA and the client, as both parties must ensure that the Delta CRL is properly applied and merged with the base CRL.

Troubleshooting CRL

Sometimes you may need to troubleshoot certificate issues by examining a CRL (Certificate Revocation List)

Download a CRL

These instructions show how you can easily download a CRL from a website. I’ll use https://duckduckgo.com/ in this example.

  1. Open Google Chrome. Navigate to https://duckduckgo.com/. Notice the padlock in the address bar.
  2. Right click on the padlock in the address bar. Click Connection is secure to see the connection details.
  3. Click Certificate is valid to open the certificate details box. Click the Details tab.
  4. In the Certificate Fields box, scroll down and click on CRL Distribution Points. In the Field Value box you will see any URLs associated with the CRL for the Certificate Authority or the Signing Certificate.
  5. Copy and paste the URL into a new window of the browser. You will be prompted to save the file. In my case I downloaded a file named DigiCertTLSRSASHA2562020CA1-4.crl.

Parse the CRL

  1. Open a terminal in the directory where you saved the CRL.
  2. Check to see if the CRL is in DER format or PEM format. Most CRLs are in DER format. If you do a simple head command on the CRL file you will see if it is a DER (binary) file or a PEM file. If it is binary you will see gibberish. If it is a PEM formatted file you will see ,“BEGIN X509 CRL—–”.
  3. Parse the CRL. If the CRL is in DER format use this syntax:
    openssl crl -inform DER -text -noout -in [crl-file] | less
    If the CRL is in PEM format use this syntax:
    openssl crl -inform PEM -text -noout -in [crl-file] | less
  4. You will see a list of all the revoked certificates that were issued by the Issuing Certificate.

OpenSSL CRL Commands Documentation

The OpenSSL CRL commands official documentation:

https://www.openssl.org/docs/man3.0/man1/openssl-crl.html

Linux Mint, SSL/TLS/OpenSSL, Sys Admin , , ,

Linux Convert Command

Leave a comment Posted by on September 27, 2020

This command requires that the imagemagick package be installed.

sudo apt install imagemagick

To combine two single page pdf files into one multi-page pdf:

convert file1.pdf file2.pdf merged.pdf

 

More to come

CentOS/RHEL, Linux Mint, Sys Admin

Create a UEFI Linux Mint USB Installation Flash Drive

Leave a comment Posted by on June 7, 2020

What you will need:

  • A USB flash drive big enough. A 4GB flash drive should be big enough.
  • The latest Linux Mint ISO image downloaded to your Windows box. I’m using version 19.3 for this.
  • Rufus. Preferably the latest version. As of this writing it is version 3.10.
  • Since Rufus is Windows software you will need a PC running Windows.

How to do it:

  1. Insert the USB drive. Determine what drive letter it is.
  2. Open Rufus. In the Device field choose your USB drive.
  3. In the Boot selection field select the ISO image for Linux Mint.
  4. For Partition scheme choose GPT.
  5. Choose NTFS for File System.
  6. Click the START button.
  7. You may see a pop up that asks you what mode to write. I have had better luck using DD image mode.
  8. You should then see a warning about overwriting the USB drive. If you are sure you can proceed.

To use the USB flash drive, insert it into the slot, reboot. When you see the splash screen hit F12 to get into boot options.
In my Dell PC I see a section that looks like this:

UEFI Boot:
        UEFI: SanDisk

Choose that to boot the Linux Mint installer OS.

Linux Mint, Sys Admin

Mount OneDrive from Linux Mint

Leave a comment Posted by on December 5, 2019

How to Mount OneDrive from Linux Mint

Don’t install Rclone from the standard repository. That version is too old.

Install Rclone:

cd ~/Downloads
wget https://downloads.rclone.org/rclone-current-linux-amd64.deb
sudo apt install ./rclone-current-linux-amd64.deb

Run the Rclone wizard:

rclone config

Select n to create a new remote:

$ rclone config
2019/12/04 20:47:41 NOTICE: Config file "/home/mac/.config/rclone/rclone.conf" not found - using defaults
No remotes found - make a new one
n) New remote
r) Rename remote
c) Copy remote
s) Set configuration password
q) Quit config
n/r/c/s/q>

Name is something meaningful like ‘onedrive’:

name> onedrive

Select 22 for Microsoft OneDrive:

22 / Microsoft OneDrive
\ "onedrive"

You will be asked for a Microsoft App Client Id. Just hit Enter to accept the default and leave blank.

You will be asked for a Microsoft App Client Secret. Hit Enter to accept the default and leave blank.

You will be asked to edit advanced config. Type N

You will be asked to use auto config. Type y :

Use auto config?
* Say Y if not sure
* Say N if you are working on a remote or headless machine
y) Yes
n) No
y/n> y

Your browser should open now and ask you to sign into OneDrive. Put in your email address. Hit next then your password and check the box to keep signed in then the sign in button.

At this point I seem to be locked out of OneDrive as my sign in did not work on this computer.

I tried again and instead of doing auto config I did N to not do auto config.

Use auto config?
* Say Y if not sure
* Say N if you are working on a remote or headless machine
y) Yes
n) No
y/n> n
For this to work, you will need rclone available on a machine that has a web browser available.
Execute the following on your machine:
rclone authorize "onedrive"
Then paste the result below:
result>

I did the above and got a very long “token” that I was able to copy and paste into this machine.

It then asked me to choose a number from below. I selected 1 for OneDrive

Then it said it found 2 drives. Not sure why. I selected drive 0

Then I was able to exit Rclone by typing q:

Current remotes:

Name Type
==== ====
onedrive onedrive

e) Edit existing remote
n) New remote
d) Delete remote
r) Rename remote
c) Copy remote
s) Set configuration password
q) Quit config
e/n/d/r/c/s/q> q

Now create a new directory:

mkdir ~/OneDrive

Now mount OneDrive:

rclone --vfs-cache-mode writes mount onedrive: ~/OneDrive

This will appear to hang your session but you can stop it by doing CTRL C

Now to start at boot up you can open Startup Applications, and in Startup Applications click Add.

After clicking Add, use the following:

Name:    Mount OneDrive
Command: sh -c "rclone --vfs-cache-mode writes mount onedrive: ~/OneDrive"
Linux Mint, Sys Admin , ,

Older posts